WWBN AVideo Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in WWBN AVideo versions through 24.0. It allows unauthenticated attackers to execute arbitrary JavaScript in the context of a victim's browser. The flaw arises from unescaped user input in a URL parameter: the value is passed through PHP's json_encode() function and injected into a JavaScript function, which then renders it with innerHTML. json_encode() only escapes the value for a JavaScript string context, so any HTML it contains is parsed as markup by innerHTML; the encoding is bypassed and full script execution becomes possible. Exploitation of this vulnerability could lead to session hijacking, account takeover, phishing attacks, propagation of self-spreading payloads, and compromise of admin accounts.

Impact

Exploitation allows session hijacking by stealing the PHPSESSID cookie, which is not HttpOnly by default. This can lead to account takeover, since the stolen session can be used to change the account's password or email address. Additionally, the vulnerability can be exploited to inject phishing login forms, spread self-propagating payloads, and compromise admin accounts by stealing their session cookies.

Reproduction

To reproduce this vulnerability, send a request to 'view/videoNotFound.php' with a '404ErrorMsg' URL parameter containing unescaped HTML/JavaScript, such as an image tag with an 'onerror' event handler. The parameter is reflected into the response page, and the browser executes the injected JavaScript.

Remediation

Users can update to AVideo version 26.0, where this vulnerability has been fixed.
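The following Python example is added here to illustrate the encoding mismatch described above and a corresponding log check; it is not AVideo's code. The json.dumps()/html.escape() pair stands in for PHP's json_encode() and htmlspecialchars(), the function names are hypothetical, and the log lines and payload are constructed for the example.

```python
import html
import json
import re
from urllib.parse import parse_qs, urlparse

def encode_for_js_string(value: str) -> str:
    """Approximates PHP json_encode() on a string: escapes quotes and
    backslashes for a JS string literal but leaves < and > untouched."""
    return json.dumps(value)

def encode_for_html_then_js(value: str) -> str:
    """Hardened variant: HTML-encode first (as htmlspecialchars() would),
    so the value stays inert even if the client assigns it to innerHTML."""
    return json.dumps(html.escape(value, quote=True))

def rendered_as_html(js_literal: str) -> str:
    """What innerHTML receives once the JS engine decodes the string literal."""
    return json.loads(js_literal)

TAG_RE = re.compile(r"<\s*[a-zA-Z]")

def contains_markup(text: str) -> bool:
    """True if the text contains something the HTML parser would treat as a tag."""
    return bool(TAG_RE.search(text))

def flag_suspicious_requests(log_lines, param="404ErrorMsg",
                             path="/view/videoNotFound.php"):
    """Return access-log lines where `param` on `path` carries HTML markup.
    Expects combined-format lines; the request target follows the method."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST)\s+(\S+)', line)
        if not m:
            continue
        url = urlparse(m.group(1))
        if url.path != path:
            continue
        values = parse_qs(url.query).get(param, [])  # parse_qs URL-decodes values
        if any(contains_markup(v) for v in values):
            hits.append(line)
    return hits

# Constructed sample data, not taken from any real server.
PAYLOAD = "<img src=x onerror=alert(1)>"
LOGS = [
    '10.0.0.5 - - [20/Mar/2026:05:20:00 +0000] "GET /view/videoNotFound.php?404ErrorMsg=Video%20not%20found HTTP/1.1" 200 512',
    '10.0.0.7 - - [20/Mar/2026:05:21:00 +0000] "GET /view/videoNotFound.php?404ErrorMsg=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 900',
    '10.0.0.9 - - [20/Mar/2026:05:22:00 +0000] "GET /view/index.php?q=%3Cb%3E HTTP/1.1" 200 100',
]
```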

Added: Mar 20, 2026, 5:20 AM
Updated: Mar 20, 2026, 5:20 AM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 1.7
exploitability: 7.7
remediation: 7.7
relevance: 4.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.